Forum Replies Created
billpg
Member
[quote1238655253=TCMuffin]
I hate to say this again… but have you referred your concerns to Samsung Tech Support?
[/quote1238655253]
I will, don’t worry.
billpg
Member
[quote1238653405=Don_Audio]
You got way too much time on your hands to worry about things that simply don’t matter for regular PC users. Unless you are a genius that works on a flux capacitor nobody wants to even bother with your NC10.
[/quote1238653405]
No one wants to attack me personally, yet there are an awful lot of people trying to trick me into running malicious EXEs. In general, they don’t attack individuals, but populations.
The people who wrote (say) Conficker don’t even know who I am. Doesn’t mean I’m not being attacked.
[quote1238653405=Don_Audio]
What amazes me is how much time you spend on speculative questions and the overall high level you’re trying to carry the discussion.
[/quote1238653405]
To be honest, the only question I really wanted to ask was Q1 (is it possible). The issue of if it is likely anyone would do this is interesting (to me) but ultimately doesn’t matter (to me).
[quote1238653405=Don_Audio]
I for myself think that everything has been said and that even trying to work through any more speculative questions would be a huge waste of time and energy. Therefore I’ll bail-out of this Discussion.
[/quote1238653405]
Thank you for your contribution, especially “There is an Option that write-protects the BIOS and this Switch can’t be flipped by Software.”
billpg
Member
Hello again everyone. I’m sure you are all sick of this, but we covered several different topics at once, so I hope to nail down some facts.
Q1. Can a process running inside Windows on an NC10 modify the BIOS and have it run in place of the real BIOS?
Let’s leave aside if it’s likely anyone would even try. Could a hypothetical person who is willing to spend the time researching how to do it, and I’m foolish enough to run any EXE file emailed to me, infect my NC10 with a mal-BIOS? This question is a matter of fact, not opinion.
I don’t know what the answer is, from the responses here, some say ‘Yes’, but Don_Audio says “There is an Option that write-protects the BIOS and this Switch can’t be flipped by Software.” So hopefully all I would have to do is set that option and suddenly my BIOS is unchangeable forevermore. Woo hoo.
(If the answer to this is ‘No’, the rest of this post is moot.)
Q2. Can I restore a modified BIOS to a Samsung approved state, without specialist equipment?
I don’t know. But for the answer to be ‘Yes’, there would have to be a read-only pre-BIOS (or a similar mechanism) that allows me to write into the BIOS without any co-operation from the mal-BIOS.
‘Specialist equipment’ could be a JTAG interface. There’s nothing code can do to prevent being overridden by such a low level interface. Pity I don’t have such equipment lying around.
Q3. How likely is it that an attacker would attempt to infect the NC10 BIOS?
Now we have a question of opinion, rather than fact. So far as we know, no-one’s tried it yet and it’s all in the realm of academics and researchers for the moment.
Many here have expressed the opinion that it’s unlikely, if I may summarise…
A. The baddies can (and do) set up a zombie botnet with just access to the hard disk.
B. The baddies would have to research the NC10 specifically.
C. The NC10 (and mini-laptops in general) are a low-value target for attackers.
I disagree, but this is just my opinion.
A. BIOS hosted malware would be less detectable and would survive a hard disk wipe. Both valuable to the criminal attacker over hard disk hosted malware.
B/C. An attacker wouldn’t have to research the NC10 specifically. They would be more likely to write code to try all the address ranges and CPU ports where the BIOS tends to live until they get a hit. They wouldn’t know in advance what variety of computer they are attacking, and they wouldn’t care.
Q4. What competitors to the NC10 can answer ‘No’ to Q1?
It looks like this design is common in the mini-laptop market. My choice looks like having to put up with this flaw (as I would see it) or do without a mini-laptop altogether. (I don’t like that second choice.)
I still want an NC10. It’s looking like I’m going to buy one anyway. But if, in the future, someone actually does go and spread some BIOS malware that the NC10 is vulnerable to, I shall try very hard to resist my urge to post “I told you so” messages. (I’ll probably fail. I’m weak.)
Thanks for a great discussion, billpg.
billpg
Member
[quote1238453557=KiNeL]
For what it’s worth I have been playing with PCs for nigh on 20 years and can only recall flashing one BIOS which was to recognise an upgraded AMD CPU on a Gigabyte dual BIOS MOBO (still running it BTW). BIOS updating is hardly a day to day activity.
[/quote1238453557]
And that’s what’s so maddening about this issue for me. I don’t want to change the BIOS. It’s such a rare event. Imagine I got my way and all NC10s magically had a switch added into the write enable line of the flash chip. Would anyone even notice?
[quote1238453557=KiNeL]
Despite its popularity the NC10 is but a transient blip on the Netbook scene and although there has been one BIOS update I seriously doubt that anyone would waste their time trying to write a malicious replacement.
[/quote1238453557]
I would disagree for the reasons I mentioned in an earlier posting. *IF* it’s possible to infect a BIOS, there is plenty of incentive to do so.
[quote1238453557=KiNeL]
Buy an NC10 and get on with your life lol
[/quote1238453557]
I may end up doing that anyway. As much as I like the idea of voting with my wallet against the whole industry, that way doesn’t get me my laptop.
If I do buy one, I hope I’m still welcome here.
billpg
Member
Hi again everyone. Sincere thanks to everyone for responding. I was hoping my points would be challenged and you didn’t disappoint. Thanks.
My response to some points raised…
[quote1238441290=Don_Audio]
Some Quotes from the articles:
“Still, the attack is relatively sophisticated, and the attacker must have administrative rights to the targeted machine before he or she can flash the rootkit to the BIOS.”
[/quote1238441290]
Even though I use a limited user account day-to-day, I still have to use an admin account to install software.
[quote1238441290=Don_Audio]
Today’s Chipset and BIOS Designs are way more sophisticated and varied so there is no simple “One-haxxors-All Super-Bios-Malware” that can be applied on 1000’s of different systems.
[/quote1238441290]
The malware could be written to attempt each BIOS it knows about one-by-one until one hits, then it’s in. I would doubt there is a lot of variation out there as each vendor isn’t going to completely redesign their hardware from scratch every time.
[quote1238441290=Don_Audio]
From a Virus / Malware Developer point of view it’s simply not worth the effort. Apart from some Laboratory Security Geeks there is no Hacker who wants to spend ages on developing a BIOS Virus that wouldn’t work for longer than maybe 2 Days in the wild just for Bragging rights.
[/quote1238441290]
Now here I would have to disagree. An attacker out to install malware for gain wants to get in and remain undetected. BIOS hosted malware wouldn’t be spotted living on the hard disk, could evade detection with VM techniques and would survive a hard disk wipe.
It may be just researchers now, but a lot of vulnerabilities start out as just research until someone puts in the effort to actively exploit them.
From the look of it though, a lot of mini-laptops have the same flaw (I would still call it that), so I may end up with an NC10 after all.
billpg
Member
Hello orb9220. All flash memory chips have a write enable line which has to be set before it will take new data. A simple switch on the motherboard would protect the contents’ integrity.
Here’s some recent reports on the issue;
http://www.theregister.co.uk/2009/03/24/persistent_bios_rootkits/
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=216401170
http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html
Viruses that mess with the BIOS are very real and nothing new. CIH dates back to 10 years ago.
http://en.wikipedia.org/wiki/CIH_virus
I’m a bit depressed reading these responses, as I really wanted to buy an NC10. Without adequate BIOS protection, I would have to literally throw it away after the first malware attack. All for a feature I don’t even want. The job of the BIOS is to load the OS from the boot media. Load, copy, jump. If there was a bug in that code, we’d know about it by now.
In your response, you talk of a “reset BIOS”. Perhaps there is a pre-BIOS which *is* protected that checks the integrity of the flashed BIOS or allows me to replace a compromised BIOS with trusted code from Samsung. That would be quite acceptable and I’d make that the first step of my rescue process.
But if beach’s response is correct, and the BIOS is not protected from modification by malware, that is totally unacceptable and I would have to wonder what Samsung were thinking that day.
Many thanks, Bill.